I have helped with many sales opportunities where there are Requests For Proposal (RFPs), or other types of questionnaires, that are supposedly written to let the purchaser find out which products can meet the project's or program's requirements. If you have been through this yourself, you know these are rarely written by the people who will actually be operating the tools. It is a very similar experience to reading job requirements written by an HR team that doesn't know what it is really hiring for, but has a template and a passion for filling it out.
“Wanted: a Junior Software Developer. Must have a Master’s Degree in Computer Science, 10 years’ experience in the newest technologies, and be a champion Samba dancer.”
When you read a lot of these you start to recognize what is really being asked for, or at least which direction you need to go. At this point you buckle down and answer the questions so you pass the first set of eyes, which is only looking for any “no” responses, but you also add clarifying terms to make sure the folks who originally requested the information or proposal get the depth they need to make a decision.
At this point you may be thinking: that’s great, you answered their questions. But hold on. It isn’t about being able to actually do the thing that was originally requested. It is about being able to almost do it, and also being cheaper than any other solution out there, even solutions that don’t actually meet the requirements but made it through the first set of eyes, so they must work, because they said yes to everything. As in, “Yes, we would like to be able to solve this problem someday.”
The saying, “Lowest Cost, Technically Acceptable” (LC;TA) may be the cause of more failures and breaches than any other accepted practice in Information Security. This lines up with compliance being the bar to hit, and not the bare minimum. When you build out an environment to check a box, but not to perform the actual task required, you will inevitably fail. If you build a fighter jet with the LC;TA mentality, you will have them falling out of the sky, unable to complete their mission. The same holds true for Information Security.
Let’s stop building things to fail by default. Let’s stop accepting that “Technically Acceptable” is…well, acceptable. Let’s push back on the powers that be, and let them know if they want to truly secure their environments against adversaries that are motivated, highly skilled and have time on their side, we need the right tools, the right people and freedom to build them. If they don’t, we may need to start walking away from the keyboard and find organizations that will.
/rant